Jedi Knight III
BaseJKA Security Fix
Before I begin this review, I must send out my most sincere apologies to a lovely lady named Sarah. I'm so terribly sorry I DDoS'd the [i]crap[/i] out of your server in the process of testing this
patch. I'm even more sorry that I happened to do it during a ranked ladder TFFA match that I was completely unaware of at the time. [img]http://www.filefreak.net/images/smilies/eek2.gif[/img] Can you ever forgive me? :( On to the review! This patch supposedly prevents various types of attacks on JKA servers. The attacks in question are Denial Of Service, buffer overflow, "fake players". As a bonus, the patch also corrects the inherent terrible-ness of JKA's built-in logging system with various enhancements to server logs. Sounds good, doesn't it? Well, I'm going to keep this short, because otherwise I might end up circumventing FileFront's Acceptable Use Policy, and being fired and possibly sued is never a good thing. Let me just say that I found one inherent flaw with this. It only tends to work against these attacks when they are generated by the various utilities scattered around the internet. When using such a utility (which the author kindly - albeit unintentionally - provided me with for testing purposes), the patch worked like a dream on blocking Denial Of Service attacks. It was only semi-successful with the fake players - I managed to flood JA+, Lugormod and Makermod servers to the point of them having hardware crashes, yet JAE was tight as a button. (I didn't try ClanMod, so if anyone would like to test it for me and post the results in the comments, it would be appreciated - just let your server provider know that you're going to attempt a flood attack first so that they don't cut your service!) (I've never had a buffer overflow error in my life, and wouldn't know how to replicate it even if I tried, since baseJKA automatically caps off command strings at a reasonable limit below the crash-point level.) However, when not using a utility - i.e. carrying out manual attacks - there was really no change in the effects between when this patch was installed and when it wasn't. I still managed to thrash the servers* the same way I could even if the patch hadn't been installed, but I believe that's probably because unlike a program, humans are dynamic - we don't follow a pre-set subroutine and therefore we're less predictable, and thus the patch can't really block us because it doesn't know what to expect, therefore since it doesn't know what to expect it doesn't know how to react. So, as a general rule, against someone who [i]really[/i] knows what they're doing, the effects of this security fix will be limited. However, since that kind of "hacker" is generally working at security software companies earning a six-figure salary rather than sitting at home crashing game servers, all you have to worry about are the little Matrix-era haxor kiddies who make up stories about "hackin' mainframes and shizzle" when they tell their friends about how they downloaded an Eminem MP3 - and against that kind of person, this patch will do a very nice job of securing your server. Server owners, this patch may just do you a few favours, so it's a very useful add-on to have in your defensive arsenal. Oh, and as a side note, if any of you [i]are[/i] one of the haxor kiddies I described above, then please do society a favour, and take the [i]blue[/i] pill. >_> ~ Kouen * I would just like to add as a postscript, that I would never do such a thing for any reasons other than purely scientific or technological ones.